AAA Authentication via TACACS+

Most enterprise companies authenticate network users via TACACS+ to a Cisco ACS Server. This is useful for single sign-on, management and tracking. This lab will discuss and demonstrate the configuration of a TACACS+ AAA Authentication List.

Real World Application

No network engineer wants to spend countless hours maintaining local user accounts on hundreds of Cisco devices. This issue was foreseen many years ago and resolved with AAA. With AAA you can configure the Cisco device, whether it be a router or a switch, to authenticate against a centralized user authentication database. Cisco sells a solution called the Cisco Secure Access Server which is commonly used in networks larger than 50 nodes to provide centralized authentication, authorization and accounting services for network devices.

Please note that the contents found in this lab are not part of the CCNA (640-802) Exam objectives; however, this material can be found on the new CCNA Security certification (Exam: 840-553 – IINS). This lab was created to provide you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.

Lab Prerequisites

If you are using GNS3, then load the Free CCNA Workbook GNS3 topology and start R1.

Step 2. – Now configure the AAA login authentication list named CONSOLE_AUTH to authenticate to the TACACS+ server first and fall back to the local user database in the event of a server failure. As previously shown in Lab 3-2, the only authentication method in the list was local. AAA tries the methods in the list in order, from first to last, as they appear in the syntax. To configure the list to authenticate to the TACACS+ server first, add group tacacs+ before local.

To complete the second objective (authenticate to the TACACS+ server, then fall back to the local database when the server fails), re-enter the Lab 3-2 authentication list command, aaa authentication login CONSOLE_AUTH, with group tacacs+ local appended to it as shown below;

You will be unable to verify the actual TACACS server authentication as no TACACS server exist in this lab. You can download a trial copy of Cisco ACS and configure the server to authenticate Cisco devices but that is outside of the scope of CCNA and CCNA Security. For verification purposes, use the prerequisites configured local database username and password with level 15 privileges.
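The following is an added configuration example, not the workbook's own output, that puts Step 2 together with the TACACS+ server definition the list depends on. The server address 10.0.0.100 and the shared key TACACS_KEY_PLACEHOLDER are assumed values; no server actually exists in this lab, which is exactly why the console login in the verification falls through to the local database.

```cisco
! Enable the AAA subsystem (required before any aaa authentication command)
aaa new-model
!
! Define the TACACS+ server the "group tacacs+" method will contact.
! Address and key are assumed placeholders for this example; no server is present in the lab.
tacacs-server host 10.0.0.100
tacacs-server key TACACS_KEY_PLACEHOLDER
!
! Local fallback account from the lab prerequisites (level 15 so the user lands in privileged mode)
username john privilege 15 secret cisco
!
! The named method list: try the TACACS+ server group first, then the local database.
! Order matters: methods are attempted left to right.
aaa authentication login CONSOLE_AUTH group tacacs+ local
!
! Apply the list to the console line (as in Lab 3-2)
line con 0
 login authentication CONSOLE_AUTH
!
! Verification commands
show tacacs
debug aaa authentication
```

One caveat worth keeping in mind when reading the verification output above: IOS only moves on to the next method in the list when the preceding method returns an error (the server group is unreachable or times out). A TACACS+ server that is reachable and rejects the credentials ends the attempt; it does not fall back to local. In this lab the server is absent, so every login times out on group tacacs+ and is then checked against the local username, which is why john is accepted. On a production device, debug aaa authentication will show whether a given login was answered by the server or by the local fallback, which is useful when the ACS server is believed to be down.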

Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: john
Password:
Router>